26

I have a CustomAction as part of an MSI.

It MUST run as a domain account that is also a member of the local Administrators account.

It can't use the NoImpersonate flag to run the custom action as NT Authority\System as it will not then get access to network resources.

On Vista/2008 with UAC enabled, if NoImpersonate is off then it will run as the executing user but with the unprivileged token, and will not get access to local resources such as .installState. See UAC Architecture

Anyone know of a way to either

  • Force the MSI to run with the elevated token in the same way that running from an elevated command prompt does?

  • Force the CustomAction to run elevated (requireAdministrator in manifest doesn't appear to work)?

  • Work out if UAC is enabled and if it hasn't been run elevated and if so warn or cancel the installation?

Eddie
Ryan

3 Answers

34

Answering my own question for any other poor s0d looking at this.

  • You can't add a manifest to an MSI. You could add a SETUP.EXE or bootstrapper to shell the MSI and manifest that with requireAdministrator but that defeats some of the point of using an MSI.

  • Adding a manifest to a CustomAction does not work as it is run from msiexec.exe

The way I have tackled this is to set the MSIUSEREALADMINDETECTION property to 1 so the Privileged condition actually works and add a Launch Condition for Privileged that gives an error message about running via an elevated command prompt and then quits the installation.

This has a happy side effect: when an MSI is run from an elevated command prompt, deferred CustomActions are run as the current user with a full Administrator token (rather than the standard user token) regardless of the NoImpersonate setting.

More details - http://www.microsoft.com/downloads/details.aspx?FamilyID=2cd92e43-6cda-478a-9e3b-4f831e899433

[Edit] - I've put a script here that lets you add the MSIUSEREALADMINDETECTION property, as VS doesn't have the ability to do it and Orca's a pain.

Community
Ryan
  • 5
    If I had enough reputation, I would have edited "set the MSIUSEREALADMINDETECTION property" into "set the MSIUSEREALADMINDETECTION property to 1" so that the reader gets the information without having to follow the link. – Fabien Dec 16 '08 at 12:47
  • What is the hex value of MSIUSEREALADMINDETECTION, or do you simply set MSIUSEREALADMINDETECTION? The reason I ask is that when I run the script, it always goes into the else block and a new property gets added. Also, my installer still seems to be running under the system account and not the user account – Dhawalk Aug 09 '13 at 21:18
  • @Ryan Not Supported in Windows Installer 3.1 and earlier versions – antonio Mar 01 '18 at 09:17
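
The post-build edit described in the answer above, as an added example (not the script the answer links to and not the poster's code): it sets MSIUSEREALADMINDETECTION to 1 in the Property table and adds a Privileged row to the LaunchCondition table. The parameter names, the helper names `Invoke-Member` and `Invoke-MsiSql`, and the message wording are assumptions, as is the package already having a LaunchCondition table and a LaunchConditions action.

```powershell
# Added example, not the script linked from the answer. Run after the .msi is built.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    # Constructed wording; Windows Installer SQL cannot escape a single quote inside a literal.
    [string] $Message = 'Run this installer from an elevated command prompt.'
)
$ErrorActionPreference = 'Stop'
if ($Message.Contains("'")) { throw 'Message must not contain a single quote.' }
$call = [System.Reflection.BindingFlags]::InvokeMethod

# WindowsInstaller.Installer objects are late-bound COM, so call members through reflection.
function Invoke-Member($Object, [string] $Name, [object[]] $Arguments) {
    $Object.GetType().InvokeMember($Name, $call, $null, $Object, $Arguments)
}

# Execute a statement; with -Fetch, return $true when the query yields at least one row.
function Invoke-MsiSql($Database, [string] $Sql, [switch] $Fetch) {
    $view = Invoke-Member $Database 'OpenView' @($Sql)
    try {
        Invoke-Member $view 'Execute' $null | Out-Null
        if ($Fetch) { return $null -ne (Invoke-Member $view 'Fetch' $null) }
    } finally {
        Invoke-Member $view 'Close' $null | Out-Null
    }
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# Mode 1 = msiOpenDatabaseModeTransact: edits are only written when Commit is called.
$db = Invoke-Member $installer 'OpenDatabase' @((Resolve-Path $MsiPath).Path, 1)
try {
    # Update the row if it exists, otherwise insert it.
    if (Invoke-MsiSql $db 'SELECT `Value` FROM `Property` WHERE `Property` = ''MSIUSEREALADMINDETECTION''' -Fetch) {
        Invoke-MsiSql $db 'UPDATE `Property` SET `Value` = ''1'' WHERE `Property` = ''MSIUSEREALADMINDETECTION'''
    } else {
        Invoke-MsiSql $db 'INSERT INTO `Property` (`Property`, `Value`) VALUES (''MSIUSEREALADMINDETECTION'', ''1'')'
    }
    # Assumes the package already has a LaunchCondition table and a LaunchConditions action.
    if (-not (Invoke-MsiSql $db 'SELECT `Condition` FROM `LaunchCondition` WHERE `Condition` = ''Privileged''' -Fetch)) {
        Invoke-MsiSql $db ('INSERT INTO `LaunchCondition` (`Condition`, `Description`) VALUES (''Privileged'', ''{0}'')' -f $Message)
    }
    Invoke-Member $db 'Commit' $null | Out-Null
} finally {
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
}
```

Because the database is opened in transact mode, a failure before `Commit` leaves the .msi unchanged.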
1

requireAdministrator in the manifest should work.

You can also use a bootloader .exe file which can use ShellExecute with "RUNAS" as the verb (you can use 7-zip to create the bootloader, or there are many other ways).

Peter Crabtree
  • 1
    I thought you could only add a manifest to a .EXE, not an MSI? I've added the manifest to the Custom Action's .EXE but it doesn't seem to work, maybe a side effect of running under msiexec? – Ryan Nov 20 '08 at 05:08
0

You can create a simple SFX archive file for the MSI file with WinRAR and these options:

  • Setup tab > Run after execution input: your msi file name

  • Advanced tab > Mark Request Administrative access option checkbox

Mohammadreza